Protiviti study on IT auditing raises more questions than it answers
There’s a new Protiviti study. Their 2011 IT Audit Benchmarking Survey summarizes the input from nearly 500 professionals and makes a number of observations.
Before getting into those observations, I have a couple of my own:
- The report talks about IT risks – but there is no such thing as an IT risk, only business risks due to a failure of technology. These days, talking separately (from business auditing) about IT audit and IT risks is somewhat ‘old-fashioned’. Companies are now talking more about business risk and the role of IT as both an enabler of solutions and a source of issues. The trend is towards building an audit plan that addresses those business risks and will probably have fewer pure IT audits as a result.
- Most of the issues raised in the report (such as the fact that auditors struggle to keep up with technology) are age-old. I have been in the profession since 1980 and they were problems then!
Here are their “key trends and takeaways”, with my comments.
“The growth and prevalence of technology throughout most operations in a company are outpacing the assessment, management and monitoring of related IT risks.”
- This has been the case since man discovered fire – and the risk of burns came later.
- The report did not address whether IT auditors are involved in change projects, whether these are major new ERP implementations, moving infrastructure or applications to the cloud, or the embracing of social media and mobile. Maybe that can be included in the next survey.
“IT risks do not garner nearly enough attention in organizations today, and in small companies in particular.”
- IT is a source of business risk, not a risk in and of itself. The study, I think, should have considered whether the internal audit function was looking at business risks – and considering the IT impact as part of that activity.
- The Protiviti statement may or may not be correct. Intuitively, as an IT auditor since (it seems) the dawn of computing, I think it is probably correct. But the level of resources allocated to IT issues should be commensurate with the level of risk and balanced against the need to address other sources of risk.
- In smaller companies (especially), the auditor has to take on all aspects of risk – including IT-related issues. He may be supplemented with co-sourcing.
“A large percentage of companies are not complying with IIA Standard 2110.A2, which requires the internal audit function (usually through IT audit) to assess whether the organization’s information technology governance sustains and supports its strategies and objectives.”
- A large part of IT governance activities may be included as part of the audits of IT general controls (which the study shows is allocated a large level of resources).
- Even though the Standards require this, a risk-based planning exercise may have identified this as a lower risk area – and it would have been appropriate, therefore, not to include it in the plan.
- The main standard here, 2110, requires internal audit to assess governance processes in general. Non-compliance there is even more of a problem than with IT governance: few functions assess and report on more than a couple of governance processes.
“Many organizations do not have the requisite skills and capabilities to assess their key IT risks adequately.”
- See above. There is no such thing as an IT risk, let alone a key IT risk. And, keeping up with technology is a problem for the ages.
“A surprisingly large number of organizations fail to conduct an annual IT risk assessment.”
- Good! They should be assessing business risk and not IT risk.
- Good! It should be a continuing and not an annual process.
“IT audit functions in North America invest significantly more time on compliance-related activities than these functions do in other regions of the world.”
- That may or may not be OK. It all depends on where a business risk-based audit program says the resources should be spent.
What do you think? I would appreciate your comments.